From security researcher/journalist Kevin Poulsen at Wired’s Threat Level:
The bug had been around since at least October (Thanks to Rose for tipping me off), during which time it had been gleefully exploited by voyeurs, hackers, entrepreneurs and lechers; you can find pages and pages of public message board comments around the web in which posters are peeking in on 14 and 15-year-old girls and sharing what they find.
Ad-supported web sites with names like Can’t Hide and MySpacePrivateProfile.com emerged to earn a buck off the glitch. One such site reports that its users have accessed, or attempted to access, 77,000 private profiles — 3,000 of them today.
The day after he reported it to MySpace, they fixed it. Good for them. And the websites that exploited the vulnerability aren’t delivering private photos any more. Hold on, though: why hadn’t they fixed it earlier? Kevin ends with:
That seems to leave just two possibilities:
- MySpace didn’t know this was going on before.
- MySpace knew about it, but didn’t take action until the press noticed.
I’ll have more next week.
We shall see …
Claims by MySpace, Facebook, or any other online service that they protect people’s personal information only hold water if they pay a lot of attention to security when they’re building their software and running their site. One of the objections to the potential email list in the MySpace “child safety” agreement with state attorneys general was that the list would be valuable to spammers and scammers as well as child predators. Situations like this, or the recent compromise of thousands of accounts on adult web sites where the company similarly didn’t react for months, show how real this issue is.